Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method, comprising: forming, during access to a server, an association between a user and a first device used to access the server, wherein the association constitutes a first possession factor linking the user to the first device without reliance upon all things known by the user; sending a code to the first device; receiving the code and contact information for a second device associated with the user, wherein the contact information facilitates a second possession factor linking the user to the second device without reliance upon all things known by the user except for the contact information; recognizing, during a subsequent access to the server, the first device and therefore establish the first possession factor; sending a message to the second device in response to recognizing; obtaining a positively acknowledged message from the second device and therefore establish the second possession factor; and authenticating the user based upon the first possession factor and the second possession factor without reliance upon all things known by the user.
A method for authenticating a user involves associating the user with a first device (like a computer or phone) when they access a server. This creates a "possession factor" – proving they have that device. The server sends a code to the first device. The user provides contact information for a second device (another phone, etc.). This contact info becomes a second "possession factor." Later, when the first device accesses the server again, it's recognized, re-establishing the first possession factor. A message is sent to the second device, and a positive response from that device re-establishes the second possession factor. The user is then authenticated based on these two device-related possession factors, without needing them to remember passwords or other knowledge-based information.
2. The method of claim 1 wherein forming includes, in addition to the association, initially authenticating the user.
The method for authenticating a user by associating the user with a first device, sending a code to the first device, receiving contact information for a second device, recognizing the first device on subsequent access, sending a message to the second device, obtaining a positive response, and authenticating the user based on the two devices also requires initially authenticating the user during the first association. So, before creating the device association, the user needs to prove their identity somehow.
3. The method of claim 2 wherein initially authenticating the user is achieved by one or more of: receiving a username and password, receiving a client SSL certificate, receiving a one-time password, confirming a code sent to a user email address, and confirming a code sent to the second device.
The method of initially authenticating the user before creating a device association, as part of the multi-device authentication process, can be done in several ways: by receiving a standard username and password, by using a client-side SSL certificate, by receiving a one-time password (OTP), by confirming a code sent to the user's email address, or by confirming a code sent to the second device (the one providing contact information). These initial authentication methods confirm the user's identity before setting up the device-based authentication for later logins.
4. The method of claim 1 wherein recognizing includes one or more of: reading a cookie on the first device that uniquely identifies the first device, checking the IP address of the first device, checking the MAC address of the first device, and checking a unique browser identifier.
In the method for authenticating a user via multiple devices, recognizing the first device during subsequent access to the server (thereby re-establishing the first possession factor) involves several possibilities: reading a cookie on the first device that uniquely identifies it, checking the IP address of the first device, checking the MAC address of the first device, or checking a unique browser identifier. The system uses one or more of these methods to identify the returning device.
5. The method of claim 1 wherein the message includes a single gesture prompt to establish the positively acknowledged message.
In the method for authenticating a user using two devices, the message sent to the second device (the one linked by contact information) to obtain a positive acknowledgement includes a simple prompt. This could be a single button press, a swipe gesture, or some other single action the user can perform to confirm their identity on the second device. This single action establishes the positive acknowledgement.
6. The method of claim 1 wherein sending and receiving rely upon Internet Protocol network communications.
The method for authenticating a user via multiple devices, including sending codes and messages between the server, the first device, and the second device, relies on Internet Protocol (IP) network communication. All communication uses standard internet protocols (TCP/IP, HTTP/HTTPS, etc.) for sending data.
7. The method of claim 1 wherein sending and receiving rely upon short message service communications.
The method for authenticating a user via multiple devices, including sending codes and messages between the server, the first device, and the second device, relies on Short Message Service (SMS) communications. The messages sent to and from the second device are standard text messages.
8. The method of claim 1 wherein authenticating includes: passing a token from the server to a first server; associating, at the first server, the token with user identification; sending a message from the first server to the second device; receiving, at the first server, a positive acknowledgement of the message; and passing the user identification from the first server to the server.
The method for authenticating a user based on two devices also includes these steps: the server sends a token to a first server (another authentication service, for example). The first server associates this token with the user's identification. The first server then sends a message to the second device. Upon receiving a positive acknowledgement of the message at the first server, the first server sends the user's identification back to the original server, completing the authentication process. This allows offloading part of the authentication to another server.
9. The method of claim 1 wherein the first device and second device are the same physical device running two distinct software programs that are recognized by the server as separate communication endpoints.
In the multi-device authentication method, the first and second devices can be the *same* physical device. The key is that the server recognizes them as two separate communication endpoints, likely achieved via two distinct software programs or applications running on the same device. For example, a web browser and a dedicated mobile app on the same phone.
10. The method of claim 1 wherein the second device is identified by one or more of: a hardcoded user ID associated with an application on the second device, a device ID for the second device, a username and password on the second device, and external hardware associated with the second device.
In the method of authenticating a user using multiple devices, the second device (the one providing contact information) can be identified in several ways: a hardcoded user ID associated with an application on the second device, a unique device ID for the second device, a username and password on the second device itself, or external hardware associated with the second device (like a security key). The server uses one or more of these to ensure it's communicating with the correct device.
11. The method of claim 1 further comprising receiving a negatively acknowledged message from the second device.
The method of authenticating a user via multiple devices by forming an association with a first device, sending a code, receiving contact info for a second device, recognizing the first device, sending a message to the second device, obtaining a positive response, and authenticating the user also includes receiving a *negative* acknowledgement message from the second device. So, the second device can actively reject the authentication attempt.
12. The method of claim 11 wherein the negatively acknowledged message reports an unauthorized access attempt.
In the method for authenticating a user using multiple devices, if a negative acknowledgement message is received from the second device, this message specifically reports an unauthorized access attempt. This indicates that someone other than the legitimate user is trying to authenticate using the first device, and the user has denied the attempt via the second device.
13. The method of claim 1 wherein the contact information comprises one or more of: a telephone number, and a push notification address.
In the method of authenticating a user using multiple devices, the contact information provided for the second device includes a telephone number and/or a push notification address (like a token for Firebase Cloud Messaging or Apple Push Notification Service). This information allows the server to send messages or notifications to the second device.
14. The method of claim 1 wherein sending includes sending QR code for display by the first device.
In the method for authenticating a user via multiple devices, the "sending a message" step can involve sending a QR code that is displayed by the first device. The user then scans this QR code with the second device, establishing communication and proving possession of both devices.
Unknown
September 5, 2017
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.